Shira Ovide
For what AT&T says is a portion of those records, the stolen data also included some people’s estimated locations.
The swiped location data is relatively unusual in a cyberattack, and it’s the part that freaked out Albert Fox Cahn, founder of the Surveillance Technology Oversight Project.
Your phone company logs the nearest cellular tower every time your device connects to its mobile network. That data is essentially a rough timeline and map of everywhere you go with your smartphone, including your home, work, house of worship, medical appointments and more.
“It’s such an invasive window into our lives,” Cahn said.
You can’t know for sure how this stolen AT&T information might be used against you. I’ll talk you through how to know if your data was swiped, what could go wrong and how to protect yourself.
Also, take a moment to feel furious. This data theft shows the risks from America’s largely unregulated personal data harvesting. You, and generally not the companies, bear the burden when companies fail to secure your information from thieves.
How do you know whether your phone records were stolen?
AT&T said it will notify affected customers by text, email or physical mail.
But if you had AT&T mobile service between the beginning of May and the end of October in 2022 or on Jan. 2, 2023, you should assume your phone records were stolen.
What information is in those hacked phone records?
The swiped records include information like every number you texted and called, how many times you called your spouse in a given month, and the cumulative time those calls lasted.
AT&T said monthly wireless and home telephone customers can go to this website to see the phone numbers from their calls and texts that were in the stolen records.
AT&T said that the names associated with accounts, Social Security numbers and credit card numbers weren’t stolen.
Again, the biggest potential risk may be from the stolen logs of AT&T customers’ locations.
AT&T didn’t say how many people’s swiped records included their approximate physical location from when a phone was connected to mobile service. But the location data from cellphones is so sensitive that the Supreme Court has said it generally deserves extra legal protections.
Police must have a warrant to obtain the kind of location data that thieves just stole from AT&T.
What do you have to worry about?
AT&T’s statement said it doesn’t believe the stolen phone records have been leaked online. But Cahn said the thieves could at any time sell the phone records to other criminals or post them on the web for anyone to see.
With information like the numbers you frequently call, a crook could impersonate your boss, brother or bank to get you to hand over money, said Frédéric Rivain, chief technology officer of the password management service Dashlane. (Although crooks already can and do impersonate your contacts’ phone numbers without stealing your phone records.)
In the wrong hands, the stolen location data from phone records could also be used to blackmail people having affairs, to help criminals find the homes of police officers and prosecutors, or to help abusers track down their former romantic partners.
If you think I’m exaggerating: Phone location and call records from two Georgia prosecutors pursuing a legal case against former president Donald Trump were presented as evidence of their romantic relationship. And in 2021, a priest was ousted from his job after a conservative Catholic group used location information from the gay dating app Grindr to trace his movements to a gay bar and a gay bathhouse and spa.
What can you do to protect yourself?
It’s an unfair burden, but personal vigilance is your best defense.
If it seems like your sister is texting you in a panic to ask for bail money or if someone calls from what seems like your grandson’s phone number and says he’s holding your grandson for ransom, be suspicious. Hang up and try to reach your loved one directly or through a family member or friend.
Be extra vigilant about phone calls and texts that seem to come from your bank, too, in case crooks are impersonating the bank’s phone number.
AT&T said if you’re a target of fraud on your wireless number, you should report it to the company’s fraud team.
And if you typically have numerical codes texted to your phone to confirm your identity when you log into Facebook, a credit card account, your email or other websites, this might be a good moment for a security upgrade.
If you can manage it on your sensitive accounts, use an app like Authy or Google Authenticator that generates single-use codes instead of text messaged codes. Using an app instead of texts protects you from a serious but uncommon type of hack in which criminals intercept calls or texts to your phone number.
Cahn said the location data saved by AT&T and other cellphone providers is not something you can protect on your own. That’s on companies to keep safe.
He says he’s most worried that if the AT&T theft includes large amounts of location data, it could endanger vulnerable people, including victims of stalkers or intimate partner violence.
“Where it could be potentially really scary is for people who put a premium on protecting their location privacy,” he said.
Correction
A previous version of this article incorrectly said the AT&T breach affects customers with mobile service on Jan. 1, 2023, among other dates. It should have said Jan. 2, 2023. The article has been corrected.